Can Kim Dotcom rescue secure email?

The exit last week of Lavabit and Silent Circle from the secure email realm has left some secret sharers looking for alternatives. Mega, the "privacy company" of online rogue Kim Dotcom, is one firm preparing to fill the void.

The service, founded by Dotcom after his previous online storage endeavor, Megaupload, was shut down for fostering online piracy, is reported to be preparing some "hugely cutting edge stuff" in cryptography that it hopes to use to secure email.

That won't be an easy task. Providing functionality that people expect and need, such as searching, fully on the client side could be a major challenge if the mail server can only see encrypted files, said Mega CEO Vikram Kumar.

Another challenge: "Dealing with other email providers which don't support Mega's encryption system," Kumar said in an email.

Key management can also be a snag for someone building a secure email service, said Agari's Vice President of Engineering, Ingrum Putz.

"It's a huge issue," Putz said in an interview. "You have to make sure users have the keys to encrypt messages to other people and decrypt your own messages."

Where the keys are stored can be an issue, too. Some systems -- like the now defunct Lavabit used by whistleblower Edward Snowden -- store keys on their servers and allow users to access them via password. The actual decryption took place on Lavabit's servers.

"The big concern is that if the government goes to a company like Lavabit and wants to look at the email on its servers, it can do so because all the information needed to decrypt that information is on its servers," said Matthew Green, a professor specializing in cryptography at Johns Hopkins University.

That host model of securing data requires trust from a user. "Since the host is doing the actual securing, customers have to trust the host to do it right, and do it consistently, and not to 'break their word' by turning over unencrypted data to third parties, like the NSA," said a source from Cryptocloud Secure Networking who wished to remain anonymous to "minimize extra-legal harassment."

"Since trust is always imperfect, the idea is that host-based security is a Bad Idea," the source said by email.

Currently, Mega is designed to store only encrypted data. All data is encrypted at the user's computer. That way, Mega doesn't know what's in the files and can't find out what's in them because the encryption keys remain on the user's machine.

"I would assume that's how Mega wants to build its email system," Green said. "Getting that to work right is really hard. There's a lot of challenges there. A lot can go wrong."

For example, Mega uses JavaScript to encrypt and decrypt data. That can be problematic with email. In 2007, for instance, Hushmail, which was supposed to be a secure email system, used JavaScript at the behest of law enforcement to scrape its customers' passwords so plaintext versions of their email could be scrutinized.

"That essentially turned an assumed endpoint-security service model into a host-based model, which was then exploited by law enforcement organizations to break the system," the source from Cryptocloud said.

"So everyone is very leery of served javascript because it can be intentionally poisoned, or even intercepted mid-stream via BEAST toolkits and whatnot," the source said.

Even if encryption problems are solved, there's always the problem of metadata, which can't be encrypted and can be very useful for any kind of snoop. It includes the subject of a message, who the email is addressed to, who sent it and when it was sent.

"That information is extremely valuable," Green noted. "When the NSA was collecting data from Verizon, all it wanted was metadata. It didn't care about the phone calls themselves."


Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.